The security benefits of the onboard Titan M2 security chip were one of the key features of the Pixel 6 and 6 Pro. With so much new equipment shipping at once, the company needed to be extra careful. At the Black Hat security conference in Las Vegas today, members of the Android red team recounted their mission to hack and break as much as they could before the launch of the new phone.
The red team caught a number of flaws while trying to attack the Pixel 6. The first piece of code that runs when a device boots up was vulnerable, and the flaw could have been exploited by attackers. It mattered because the exploit could persist even after the device was shut down. The red teamers used a group of vulnerabilities to defeat the Titan M2, a crucial finding given that the security chip needs to be trustworthy to act as a sort of sentry and validator.
One of the red team leads told WIRED that this is the first proof of concept ever to be publicly discussed. Not all of the vulnerabilities were critical on their own; the impact came from chaining them together. The exploits in this chain were patched prior to the release of the phone, because the developers wanted a red team to focus on them.
The researchers say that the red team spends a lot of time developing real exploits for the bugs it finds. A better understanding of how exploitable, and therefore how critical, different flaws really are, together with a clearer view of the range of possible attack paths, allows the team to develop comprehensive and resilient fixes.
The team uses an array of approaches to find bugs: manual code review and static analysis, automated methods for mapping how a codebase works, and looking for potential problems in how the system is configured. The team invests heavily in developing tailored "fuzzers" that it can hand off to other teams to catch more bugs.
A fuzzer is a tool that feeds a target malformed or unexpected input in order to make a service crash or reveal a security vulnerability. We build fuzzers and give them to other teams so they can keep running them. Outside of finding bugs, our red team has accomplished something nice. We are institutionalizing fuzzing.